From: Nageswara R Sastry <rnsastry@linux.ibm.com>
To: zohar@linux.ibm.com, linux-kselftest@vger.kernel.org,
linux-integrity@vger.kernel.org, mpe@ellerman.id.au,
shuah@kernel.org
Cc: nayna@linux.ibm.com, dja@axtens.net, gcwilson@linux.ibm.com,
Nageswara R Sastry <rnsastry@linux.ibm.com>
Subject: [PATCH 3/3] Add tests to verify kexec of blacklist and non blacklist kernel
Date: Wed, 24 Nov 2021 12:38:02 +0530 [thread overview]
Message-ID: <20211124070802.1765-3-rnsastry@linux.ibm.com> (raw)
In-Reply-To: <20211124070802.1765-1-rnsastry@linux.ibm.com>
Add new tests to verify kexec of blacklisted and non blacklisted
kernel based on ima policy and secureboot state.
Signed-off-by: Nageswara R Sastry <rnsastry@linux.ibm.com>
---
tools/testing/selftests/kexec/Makefile | 3 +-
.../selftests/kexec/kexec_common_lib.sh | 71 +++++++++++++++
.../selftests/kexec/test_kexec_dbx_bk.sh | 90 +++++++++++++++++++
.../selftests/kexec/test_kexec_dbx_nbk.sh | 62 +++++++++++++
4 files changed, 225 insertions(+), 1 deletion(-)
create mode 100755 tools/testing/selftests/kexec/test_kexec_dbx_bk.sh
create mode 100755 tools/testing/selftests/kexec/test_kexec_dbx_nbk.sh
diff --git a/tools/testing/selftests/kexec/Makefile b/tools/testing/selftests/kexec/Makefile
index 806a150648c3..ac1e998e0158 100644
--- a/tools/testing/selftests/kexec/Makefile
+++ b/tools/testing/selftests/kexec/Makefile
@@ -5,7 +5,8 @@ uname_M := $(shell uname -m 2>/dev/null || echo not)
ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/)
ifeq ($(ARCH),$(filter $(ARCH),x86 ppc64le))
-TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh
+TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh test_kexec_dbx_bk.sh\
+ test_kexec_dbx_nbk.sh
TEST_FILES := kexec_common_lib.sh
include ../lib.mk
diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh
index e907c3030eb3..9f9383940a93 100755
--- a/tools/testing/selftests/kexec/kexec_common_lib.sh
+++ b/tools/testing/selftests/kexec/kexec_common_lib.sh
@@ -7,6 +7,7 @@ VERBOSE="${VERBOSE:-1}"
IKCONFIG="/tmp/config-`uname -r`"
KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
+BLACKLIST_BIN_HASH=""
log_info()
{
@@ -244,3 +245,73 @@ check_ima_policy()
[ $? -eq 0 ] && ret=1
return $ret
}
+
+# Look for check_blacklist in IMA Policy
+# Return 1 for found and 0 for not found.
+check_for_ima_policy_blacklist()
+{
+ local ret=0
+
+ check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
+ "appraise_flag=check_blacklist"
+ ret=$?
+ [ $ret -eq 1 ] && log_info "Found IMA blacklist policy rule"
+
+ return $ret
+}
+
+# Look for blacklist_binary from blacklist keyring
+# Return 1 for found and 0 for not found.
+check_for_dbx_bin()
+{
+ local ret=0
+
+ which keyctl > /dev/null 2>&1 || log_skip "keyctl not found"
+ cmd=$(keyctl show %keyring:.blacklist | grep "blacklist: bin" | wc -l)
+ if [ $cmd -ge 1 ]; then
+ BLACKLIST_BIN_HASH=$(keyctl show %keyring:.blacklist | grep \
+ "blacklist: bin" | cut -d":" -f3)
+ log_info "Found DBX blacklist binary from keyring"
+ ret=1
+ fi
+ return $ret
+}
+
+common_steps_for_dbx()
+{
+ ima_policy=0
+ dbx=0
+ secureboot=0
+
+ # kexec requires root privileges
+ require_root_privileges
+
+ # get the kernel config
+ get_kconfig
+
+ kconfig_enabled "CONFIG_KEXEC_FILE=y" "kexec_file_load is enabled"
+ if [ $? -eq 0 ]; then
+ log_skip "kexec_file_load is not enabled"
+ fi
+
+ kconfig_enabled "CONFIG_SYSTEM_BLACKLIST_KEYRING=y" \
+ "Kernel config blacklist_keyring is enabled"
+ if [ $? -eq 0 ]; then
+ log_skip "Kernel config blacklist_keyring is not enabled"
+ fi
+
+ check_for_ima_policy_blacklist
+ ima_policy=$?
+ if [ $ima_policy -eq 0 ];then
+ log_skip "Not found IMA blacklist policy rule"
+ fi
+
+ check_for_dbx_bin
+ dbx=$?
+ if [ $dbx -eq 0 ]; then
+ log_skip "Not found blacklisted kernel"
+ fi
+
+ get_secureboot_mode
+ secureboot=$?
+}
diff --git a/tools/testing/selftests/kexec/test_kexec_dbx_bk.sh b/tools/testing/selftests/kexec/test_kexec_dbx_bk.sh
new file mode 100755
index 000000000000..212a86be290d
--- /dev/null
+++ b/tools/testing/selftests/kexec/test_kexec_dbx_bk.sh
@@ -0,0 +1,90 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+#
+# Loading a dbx black listed kernel image via the kexec_file_load syscall
+
+. ./kexec_common_lib.sh
+
+TEST="KEXEC_FILE_LOAD_DBX"
+
+# Read KERNEL_DBX_IMAGE from the environment variable
+KERNEL_DBX_IMAGE=$(printenv | grep KERNEL_DBX_IMAGE | cut -d"=" -f2)
+if [ -z $KERNEL_DBX_IMAGE ]; then
+ env_var="KERNEL_DBX_IMAGE"
+ log_skip "$env_var not found, set using 'export $env_var=value'"
+# KERNEL_DBX_IMAGE=$KERNEL_IMAGE
+# log_info "Continuing with booted kernel"
+fi
+
+# Look for kernel matching with blacklisted binary hash
+check_for_blacklist_kernel()
+{
+ local module_sig_string="~Module signature appended~"
+ local ret=0
+
+ tail --bytes $((${#module_sig_string} + 1)) $KERNEL_DBX_IMAGE | \
+ grep -q "$module_sig_string"
+ if [ $? -eq 0 ]; then
+ log_info "Found $KERNEL_DBX_IMAGE with Module signature"
+ # Remove the signature
+ local hash=$(../../../../scripts/extract-module-sig.pl -0\
+ ${KERNEL_DBX_IMAGE} 2> /dev/null | sha256sum -\
+ |awk -F" " '{print $1}')
+ for b_hash in $BLACKLIST_BIN_HASH
+ do
+ # Make sure test is not going to run on booted kernel
+ if [ "$hash" == "$b_hash" -a \
+ "$KERNEL_IMAGE" != "$KERNEL_DBX_IMAGE" ]; then
+ KERNEL_IMAGE=$KERNEL_DBX_IMAGE
+ ret=1
+ fi
+ done
+ fi
+ return $ret
+}
+
+kexec_file_load_dbx_test()
+{
+ local succeed_msg=$1
+ local failed_msg=$2
+
+ line=$(kexec --load --kexec-file-syscall $KERNEL_IMAGE 2>&1)
+
+ if [ $? -eq 0 ]; then
+ kexec --unload --kexec-file-syscall
+
+ # In secureboot mode with an architecture specific
+ # policy, make sure dbx blacklist exists
+ if [ $secureboot -eq 1 ] && [ $dbx -eq 1 ]; then
+ log_fail "$succeed_msg (secureboot and dbx enabled)"
+ # secureboot mode disabled, and dbx blacklist exists
+ elif [ $dbx -eq 1 ]; then
+ log_fail "$succeed_msg (dbx enabled)"
+ fi
+ fi
+
+ # Check the reason for the kexec_file_load failure
+ if (echo $line | grep -q "Permission denied"); then
+ if [ $dbx -eq 1 ]; then
+ log_pass "$failed_msg (Permission denied)"
+ else
+ log_fail "$succeed_msg"
+ fi
+ fi
+
+ return 0
+}
+
+common_steps_for_dbx
+
+check_for_blacklist_kernel
+bk=$?
+
+if [ $bk -eq 0 ]; then
+ log_skip "Not found blacklisted hash matching kernel"
+fi
+
+# Loading the black listed kernel image via kexec_file_load syscall should fail
+succeed_msg="kexec blacklisted kernel image succeeded"
+failed_msg="kexec blacklisted kernel image failed"
+kexec_file_load_dbx_test "$succeed_msg" "$failed_msg"
diff --git a/tools/testing/selftests/kexec/test_kexec_dbx_nbk.sh b/tools/testing/selftests/kexec/test_kexec_dbx_nbk.sh
new file mode 100755
index 000000000000..8cd09dd79d01
--- /dev/null
+++ b/tools/testing/selftests/kexec/test_kexec_dbx_nbk.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+#
+# Loading a dbx black listed kernel image via the kexec_file_load syscall
+
+. ./kexec_common_lib.sh
+
+TEST="KEXEC_FILE_LOAD_DBX_NB"
+
+# Look for kernel matching with blacklisted binary hash
+check_for_non_blacklist_kernel()
+{
+ local module_sig_string="~Module signature appended~"
+ local ret=0
+
+ tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE | \
+ grep -q "$module_sig_string"
+ if [ $? -eq 0 ]; then
+ log_info "Found $KERNEL_IMAGE with Module signature"
+ # Remove the signature
+ local hash=$(../../../../scripts/extract-module-sig.pl -0\
+ ${KERNEL_IMAGE} 2> /dev/null | sha256sum -\
+ |awk -F" " '{print $1}')
+ for b_hash in $BLACKLIST_BIN_HASH
+ do
+ if ! [ "$hash" == "$b_hash" ]; then
+ ret=1
+ fi
+ done
+ fi
+ return $ret
+}
+
+kexec_file_load_nbk_test()
+{
+ local succeed_msg=$1
+ local failed_msg=$2
+
+ line=$(kexec --load --kexec-file-syscall $KERNEL_IMAGE 2>&1)
+
+ if [ $? -eq 0 -a $secureboot -eq 1 ]; then
+ kexec --unload --kexec-file-syscall
+ log_pass "$succeed_msg (secureboot enabled)"
+ elif (echo $line | grep -q "Permission denied"); then
+ log_fail "$failed_msg (Permission denied)"
+ fi
+
+}
+
+common_steps_for_dbx
+
+check_for_non_blacklist_kernel
+bk=$?
+
+if [ $bk -eq 0 ]; then
+ log_skip "Found blacklisted hash matching kernel"
+fi
+
+# Loading the black listed kernel image via kexec_file_load syscall should fail
+succeed_msg="kexec non blacklisted kernel image succeeded"
+failed_msg="kexec non blacklisted kernel image failed"
+kexec_file_load_nbk_test "$succeed_msg" "$failed_msg"
--
2.23.0
prev parent reply other threads:[~2021-11-24 7:08 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-24 7:08 [PATCH 1/3] selftest/kexec: fix "ignored null byte in input" warning Nageswara R Sastry
2021-11-24 7:08 ` [PATCH 2/3] selftests/kexec: Enable secureboot tests for PowerPC Nageswara R Sastry
2021-12-13 23:23 ` Mimi Zohar
2022-01-05 16:09 ` Nayna
2021-11-24 7:08 ` Nageswara R Sastry [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211124070802.1765-3-rnsastry@linux.ibm.com \
--to=rnsastry@linux.ibm.com \
--cc=dja@axtens.net \
--cc=gcwilson@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
--cc=shuah@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.